Personal information being held by an organization shall be revealed, at no charge, to the individual upon request.

The bill adjusts how the right to be forgotten will be administered, noting that the

… principle difference is a strengthening of the law from being applicable when substantial damage or distress is likely to be caused, to whenever a data subject withdraws their original consent for the data to be available, as long as it is no longer necessary or legally required for the grounds on which it was originally collected, or there are no overriding legitimate grounds for processing.

The UK data regulator, the Information Commissioner’s Office (ICO), has created a data protection self-assessment toolkit to assist organizations in their efforts to be compliant with the GDPR which comes into force in May 2018. The modules include data protection assurance, getting ready for the GDPR, information security, direct marketing, records management, data sharing and subject access, and CCTV.

The ICO, in a follow-up to its publication of the draft data protection bill, took a stab at slaying some of the myths finding their way into the headlines, which characterized the GDPR as a vehicle to greater fines for those with infractions. In her piece, the Information Commissioner, Elizabeth Denham, makes clear that “this law is not about fines. It’s about putting the consumer and citizen first.” Denham also states that she will be providing myth-busting guidance in the weeks ahead via the ICO’s blog.

What’s missing from the ICO’s proposed bill?

Search engines!

The bill speaks to social networks and organizations, but not to search engines.

If you are an EU resident, you can ask Google to remove a URL from its search results by filling out the EU Privacy Removal form. That removes it from search results, but if you want the offending content taken down, you’ll have to ask the site it’s hosted on to remove it.

What about the other side of the pond?

The United States has limited “right to be forgotten” statutes available to its residents. The Electronic Privacy Information Center tells us of laws across the states that “allow individuals to remove records containing disparaging information, including personal bankruptcy and juvenile criminal history”.

California has a law in place “California Eraser Law” which provides minors the right to request information be removed from websites or online applications.

New York State Assembly is considering a “right to be forgotten act” Bill A05323, sponsored by Rep. David Weprin (D-23), which calls for search engines, publishers and indexers who make information about an individual available to “remove such information, upon the request of the individual, within 30 days of such a request”. Rather broad brushed, without consideration for the First Amendment, scholarly research and the like.

In Canada, meanwhile, Google has been ordered to remove entire domains and websites by the Canadian courts. Thus, as the Electronic Frontier Foundation tells us, in effect “making them invisible to everyone using Google’s search engine”.

What’s the back story?

We’ve been discussing the right to be forgotten for a good number of years. In her book, Ctrl-Z: The Right to be Forgotten, Meg Leta Jones identifies two cases as having instigated the discussion.

The first concerned Mario Costeja Gonzalez and his request to have a newspaper remove information about his property and insolvency proceedings. When the paper refused Gonzalez, he asked Google remove the information from search results, they declined and Gonzalez took Google to court and won. Contemporaneously, in the United States, two American Idol contestants sued a number of defendants about online content which served to have them disqualified from the program. Their cases was thrown out, because the information was “true.”

Then there is the Google Bomb phenomena, which is when people try artificially to boost a website in the search rankings by linking to it from other websites – which can be done for many reasons including malicious ones, such as when the author of Google Bomb, Sue Scheff, found herself the subject of the ill-intentioned individuals spreading falsehoods.

For now, if you are in the EU or the UK, you’ve a path to removing information from organization’s databases, as well as search engines. Elsewhere, the discussions continues both in and out of the legal systems.

Post navigation

About the author

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.